Privilege Escalation via Account Takeover on NodeBB Forum Software (512$)

InfoSec Write-ups – Medium–

Privilege Escalation via Account Takeover on NodeBB Forum Software — Bug Bounty (512$)

Hello Guys !

I hope you all doing well. ✌️

About a month ago, I told you that I found an Account Takeover vulnerability in a web application as in the screenshot below. With the new patch coming to the web application with the vulnerability, I can now share with you how I found the vulnerability.

This is my first bug bounty write-up so im writing P1 qualified vulnerability.,

Lets talk about it.

When I made the tests for NodeBB forum software, I found that the password of the every user account can be changed.

Now I will tell you the steps to exploit this vulnerability.

First of all, to determine the “admin” user’s uid :

https://try.nodebb.org/uid/*

I tried numbers on the place marked with an asterisk(*) and I find that the uid value of the admin account is 1.

https://try.nodebb.org/uid/1 -> https://try.nodebb.org/user/admin

2- I created a user whose name is “testuser1” for myself.

3- I went to the password change page from my user profile and i entered our current password in the first box.Then I wrote in the second and third boxes that the passwords which we want to change.

4- Then, before press the submit button, I opened the Burp Suite, which has a proxy options and I replaced the uid value on the request with 1, which is the uid value of the admin user, and I sent the request.